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             A String Representation of LDAP Search Filters

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   The Lightweight Directory Access Protocol (LDAP) [1] defines a
   network representation of a search filter transmitted to an LDAP
   server.  Some applications may find it useful to have a common way of
   representing these search filters in a human-readable form.  This
   document defines a human-readable string format for representing LDAP
   search filters.

1.  LDAP Search Filter Definition

   An LDAP search filter is defined in [1] as follows:

     Filter ::= CHOICE {
             and                [0] SET OF Filter,
             or                 [1] SET OF Filter,
             not                [2] Filter,
             equalityMatch      [3] AttributeValueAssertion,
             substrings         [4] SubstringFilter,
             greaterOrEqual     [5] AttributeValueAssertion,
             lessOrEqual        [6] AttributeValueAssertion,
             present            [7] AttributeType,
             approxMatch        [8] AttributeValueAssertion
     }

     SubstringFilter ::= SEQUENCE {
             type    AttributeType,
             SEQUENCE OF CHOICE {
                     initial        [0] LDAPString,
                     any            [1] LDAPString,
                     final          [2] LDAPString
             }
     }
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     AttributeValueAssertion ::= SEQUENCE
             attributeType   AttributeType,
             attributeValue  AttributeValue
     }

     AttributeType ::= LDAPString

     AttributeValue ::= OCTET STRING

     LDAPString ::= OCTET STRING

   where the LDAPString above is limited to the IA5 character set.  The
   AttributeType is a string representation of the attribute object
   identifier in dotted OID format (e.g., "2.5.4.10"), or the shorter
   string name of the attribute (e.g., "organizationName", or "o").  The
   AttributeValue OCTET STRING has the form defined in [2].  The Filter
   is encoded for transmission over a network using the Basic Encoding
   Rules defined in [3], with simplifications described in [1].

2.  String Search Filter Definition

   The string representation of an LDAP search filter is defined by the
   following BNF.  It uses a prefix format.

     <filter> ::= '(' <filtercomp> ')'
     <filtercomp> ::= <and> | <or> | <not> | <item>
     <and> ::= '&' <filterlist>
     <or> ::= '|' <filterlist>
     <not> ::= '!' <filter>
     <filterlist> ::= <filter> | <filter> <filterlist>
     <item> ::= <simple> | <present> | <substring>
     <simple> ::= <attr> <filtertype> <value>
     <filtertype> ::= <equal> | <approx> | <greater> | <less>
     <equal> ::= '='
     <approx> ::= '~='
     <greater> ::= '>='
     <less> ::= '<='
     <present> ::= <attr> '=*'
     <substring> ::= <attr> '=' <initial> <any> <final>
     <initial> ::= NULL | <value>
     <any> ::= '*' <starval>
     <starval> ::= NULL | <value> '*' <starval>
     <final> ::= NULL | <value>

   <attr> is a string representing an AttributeType, and has the format
   defined in [1].  <value> is a string representing an AttributeValue,
   or part of one, and has the form defined in [2].  If a <value> must
   contain one of the characters '*' or '(' or ')', these characters
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   should be escaped by preceding them with the backslash '\' character.

3.  Examples

   This section gives a few examples of search filters written using
   this notation.

     (cn=Babs Jensen)
     (!(cn=Tim Howes))
     (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
     (o=univ*of*mich*)

4.  Security Considerations

   Security issues are not discussed in this memo.
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